linux_dsm_epyc7002/net/tipc
Xin Long 9926cb5f8b tipc: change to check tipc_own_id to return in tipc_net_stop
When running a syz script, a panic occurred:

[  156.088228] BUG: KASAN: use-after-free in tipc_disc_timeout+0x9c9/0xb20 [tipc]
[  156.094315] Call Trace:
[  156.094844]  <IRQ>
[  156.095306]  dump_stack+0x7c/0xc0
[  156.097346]  print_address_description+0x65/0x22e
[  156.100445]  kasan_report.cold.3+0x37/0x7a
[  156.102402]  tipc_disc_timeout+0x9c9/0xb20 [tipc]
[  156.106517]  call_timer_fn+0x19a/0x610
[  156.112749]  run_timer_softirq+0xb51/0x1090

It was caused by the netns freed without deleting the discoverer timer,
while later on the netns would be accessed in the timer handler.

The timer should have been deleted by tipc_net_stop() when cleaning up a
netns. However, tipc has been able to enable a bearer and start d->timer
without the local node_addr set since Commit 52dfae5c85 ("tipc: obtain
node identity from interface by default"), which caused the timer not to
be deleted in tipc_net_stop() then.

So fix it in tipc_net_stop() by changing to check local node_id instead
of local node_addr, as Jon suggested.

While at it, remove the calling of tipc_nametbl_withdraw() there, since
tipc_nametbl_stop() will take of the nametbl's freeing after.

Fixes: 52dfae5c85 ("tipc: obtain node identity from interface by default")
Reported-by: syzbot+a25307ad099309f1c2b9@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-26 11:21:20 -07:00
..
addr.c
addr.h
bcast.c
bcast.h
bearer.c
bearer.h
core.c
core.h
diag.c
discover.c
discover.h
eth_media.c
group.c net: tipc: fix a missing check of nla_nest_start 2019-03-16 12:09:05 -07:00
group.h
ib_media.c
Kconfig
link.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-02-15 12:38:38 -08:00
link.h
Makefile
monitor.c
monitor.h
msg.c
msg.h tipc: fix link session and re-establish issues 2019-02-11 21:26:20 -08:00
name_distr.c
name_distr.h
name_table.c
name_table.h
net.c tipc: change to check tipc_own_id to return in tipc_net_stop 2019-03-26 11:21:20 -07:00
net.h
netlink_compat.c tipc: fix uninit-value in tipc_nl_compat_doit 2019-01-15 20:29:21 -08:00
netlink.c
netlink.h
node.c tipc: tipc clang warning 2019-03-23 21:45:59 -04:00
node.h
socket.c tipc: allow service ranges to be connect()'ed on RDM/DGRAM 2019-03-17 21:32:11 -07:00
socket.h
subscr.c
subscr.h
sysctl.c
topsrv.c tipc: fix cancellation of topology subscriptions 2019-03-21 09:09:04 -07:00
topsrv.h
trace.c tipc: remove unneeded semicolon in trace.c 2019-01-17 22:04:43 -08:00
trace.h
udp_media.c
udp_media.h